Create a new embeddedSCTs1 that's signed using SHA256
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
GH: #10786
(cherry picked from commit 4d9e8c95544d7a86765e6a46951dbe17b801875a)
Kurt Roeckx
4 years ago
| 0 | -----BEGIN PUBLIC KEY----- | |
| 1 | MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmXg8sUUzwBYaWrRb+V0IopzQ6o3U | |
| 2 | yEJ04r5ZrRXGdpYM8K+hB0pXrGRLI0eeWz+3skXrS0IO83AhA3GpRL6s6w== | |
| 3 | -----END PUBLIC KEY----- |
| 0 | -----BEGIN EC PRIVATE KEY----- | |
| 1 | MHcCAQEEIFLw4uhuCruGKjrS9MoNeXFbypqZe+Sgh+EL1gnRn1d4oAoGCCqGSM49 | |
| 2 | AwEHoUQDQgAEmXg8sUUzwBYaWrRb+V0IopzQ6o3UyEJ04r5ZrRXGdpYM8K+hB0pX | |
| 3 | rGRLI0eeWz+3skXrS0IO83AhA3GpRL6s6w== | |
| 4 | -----END EC PRIVATE KEY----- |
| 0 | 0 | -----BEGIN RSA PRIVATE KEY----- |
| 1 | MIICWwIBAAKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/BH634c4VyVui+A7k | |
| 2 | WL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWkEM2cW9tdSSdyba8X | |
| 3 | EPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWwFAn/Xdh+tQIDAQAB | |
| 4 | AoGAK/daG0vt6Fkqy/hdrtSJSKUVRoGRmS2nnba4Qzlwzh1+x2kdbMFuaOu2a37g | |
| 5 | PvmeQclheKZ3EG1+Jb4yShwLcBCV6pkRJhOKuhvqGnjngr6uBH4gMCjpZVj7GDMf | |
| 6 | flYHhdJCs3Cz/TY0wKN3o1Fldil2DHR/AEOc1nImeSp5/EUCQQDjKS3W957kYtTU | |
| 7 | X5BeRjvg03Ug8tJq6IFuhTFvUJ+XQ5bAc0DmxAbQVKqRS7Wje59zTknVvS+MFdeQ | |
| 8 | pz4dGuV7AkEA1y0X2yarIls+0A/S1uwkvwRTIkfS+QwFJ1zVya8sApRdKAcidIzA | |
| 9 | b70hkKLilU9+LrXg5iZdFp8l752qJiw9jwJAXjItN/7mfH4fExGto+or2kbVQxxt | |
| 10 | 9LcFNPc2UJp2ExuL37HrL8YJrUnukOF8KJaSwBWuuFsC5GwKP4maUCdfEQJAUwBR | |
| 11 | 83c3DEmmMRvpeH4erpA8gTyzZN3+HvDwhpvLnjMcvBQEdnDUykVqbSBnxrCjO+Fs | |
| 12 | n1qtDczWFVf8Cj2GgQJAQ14Awx32Cn9sF+3M+sEVtlAf6CqiEbkYeYdSCbsplMmZ | |
| 13 | 1UoaxiwXY3z+B7epsRnnPR3KaceAlAxw2/zQJMFNOQ== | |
| 1 | MIIEpQIBAAKCAQEAuIjpA4/iCpDA2mjywI5zG6IBX6bNcRQYDsB7Cv0VonNXtJBw | |
| 2 | XxMENP4jVpvEmWpJ5iMBknGHV+XWBkngYapczIsY4LGn6aMU6ySABBVQpNOQSRfT | |
| 3 | 48xGGPR9mzOBG/yplmpFOVq1j+b65lskvAXKYaLFpFn3oY/pBSdcCNBP8LypVXAJ | |
| 4 | b3IqEXsBL/ErgHG9bgIRP8VxBAaryCz77kLzAXkfHL2LfSGIfNONyEKB3xI94S4L | |
| 5 | eouOSoWL1VkEfJs87vG4G5xoXw3KOHyiueQUUlMnu8p+Bx0xPVKPEsLje3R9k0rG | |
| 6 | a5ca7dXAn9UypKKp25x4NXpnjGX5txVEYfNvqQIDAQABAoIBAE0zqhh9Z5n3+Vbm | |
| 7 | tTht4CZdXqm/xQ9b0rzJNjDgtN5j1vuJuhlsgUQSVoJzZIqydvw7BPtZV8AkPagf | |
| 8 | 3Cm/9lb0kpHegVsziRrfCFes+zIZ+LE7sMAKxADIuIvnvkoRKHnvN8rI8lCj16/r | |
| 9 | zbCD06mJSZp6sSj8ZgZr8wsU63zRGt1TeGM67uVW4agphfzuKGlXstPLsSMwknpF | |
| 10 | nxFS2TYbitxa9oH76oCpEk5fywYsYgUP4TdzOzfVAgMzNSu0FobvWl0CECB+G3RQ | |
| 11 | XQ5VWbYkFoj5XbE5kYz6sYHMQWL1NQpglUp+tAQ1T8Nca0CvbSpD77doRGm7UqYw | |
| 12 | ziVQKokCgYEA6BtHwzyD1PHdAYtOcy7djrpnIMaiisSxEtMhctoxg8Vr2ePEvMpZ | |
| 13 | S1ka8A1Pa9GzjaUk+VWKWsTf+VkmMHGtpB1sv8S7HjujlEmeQe7p8EltjstvLDmi | |
| 14 | BhAA7ixvZpXXjQV4GCVdUVu0na6gFGGueZb2FHEXB8j1amVwleJj2lcCgYEAy4f3 | |
| 15 | 2wXqJfz15+YdJPpG9BbH9d/plKJm5ID3p2ojAGo5qvVuIJMNJA4elcfHDwzCWVmn | |
| 16 | MtR/WwtxYVVmy1BAnmk6HPSYc3CStvv1800vqN3fyJWtZ1P+8WBVZWZzIQdjdiaU | |
| 17 | JSRevPnjQGc+SAZQQIk1yVclbz5790yuXsdIxf8CgYEApqlABC5lsvfga4Vt1UMn | |
| 18 | j57FAkHe4KmPRCcZ83A88ZNGd/QWhkD9kR7wOsIz7wVqWiDkxavoZnjLIi4jP9HA | |
| 19 | jwEZ3zER8wl70bRy0IEOtZzj8A6fSzAu6Q+Au4RokU6yse3lZ+EcepjQvhBvnXLu | |
| 20 | ZxxAojj6AnsHzVf9WYJvlI0CgYEAoATIw/TEgRV/KNHs/BOiEWqP0Co5dVix2Nnk | |
| 21 | 3EVAO6VIrbbE3OuAm2ZWeaBWSujXLHSmVfpoHubCP6prZVI1W9aTkAxmh+xsDV3P | |
| 22 | o3h+DiBTP1seuGx7tr7spQqFXeR3OH9gXktYCO/W0d3aQ7pjAjpehWv0zJ+ty2MI | |
| 23 | fQ/lkXUCgYEAgbP+P5UmY7Fqm/mi6TprEJ/eYktji4Ne11GDKGFQCfjF5RdKhdw1 | |
| 24 | 5+elGhZes+cpzu5Ak6zBDu4bviT+tRTWJu5lVLEzlHHv4nAU7Ks5Aj67ApH21AnP | |
| 25 | RtlATdhWOt5Dkdq1WSpDfz5bvWgvyBx9D66dSmQdbKKe2dH327eQll4= | |
| 14 | 26 | -----END RSA PRIVATE KEY----- |
| 0 | 0 | -----BEGIN CERTIFICATE----- |
| 1 | MIIDWTCCAsKgAwIBAgIBBzANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJHQjEk | |
| 1 | MIIDeDCCAuGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk | |
| 2 | 2 | MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX |
| 3 | YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAeFw0xMjA2MDEwMDAwMDBaFw0yMjA2MDEw | |
| 4 | MDAwMDBaMFIxCzAJBgNVBAYTAkdCMSEwHwYDVQQKExhDZXJ0aWZpY2F0ZSBUcmFu | |
| 5 | c3BhcmVuY3kxDjAMBgNVBAgTBVdhbGVzMRAwDgYDVQQHEwdFcncgV2VuMIGfMA0G | |
| 6 | CSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/ | |
| 7 | BH634c4VyVui+A7kWL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWk | |
| 8 | EM2cW9tdSSdyba8XEPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWw | |
| 9 | FAn/Xdh+tQIDAQABo4IBOjCCATYwHQYDVR0OBBYEFCAxVBryXAX/2GWLaEN5T16Q | |
| 10 | Nve0MH0GA1UdIwR2MHSAFF+diA3Ic+ZU1PgN2OawwSS0R8NVoVmkVzBVMQswCQYD | |
| 11 | VQQGEwJHQjEkMCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4w | |
| 12 | DAYDVQQIEwVXYWxlczEQMA4GA1UEBxMHRXJ3IFdlboIBADAJBgNVHRMEAjAAMIGK | |
| 13 | BgorBgEEAdZ5AgQCBHwEegB4AHYA3xwuwRUAlFJHqWFoMl3cXHlZ6PfG04j8AC4L | |
| 14 | vT9012QAAAE92yffkwAABAMARzBFAiBIL2dRrzXbplQ2vh/WZA89v5pBQpSVkkUw | |
| 15 | KI+j5eI+BgIhAOTtwNs6xXKx4vXoq2poBlOYfc9BAn3+/6EFUZ2J7b8IMA0GCSqG | |
| 16 | SIb3DQEBBQUAA4GBAIoMS+8JnUeSea+goo5on5HhxEIb4tJpoupspOghXd7dyhUE | |
| 17 | oR58h8S3foDw6XkDUmjyfKIOFmgErlVvMWmB+Wo5Srer/T4lWsAERRP+dlcMZ5Wr | |
| 18 | 5HAxM9MD+J86+mu8/FFzGd/ZW5NCQSEfY0A1w9B4MHpoxgdaLiDInza4kQyg | |
| 3 | YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAgFw0yMDAxMjUxMTUwMTNaGA8yMTIwMDEy | |
| 4 | NjExNTAxM1owGTEXMBUGA1UEAwwOc2VydmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3 | |
| 5 | DQEBAQUAA4IBDwAwggEKAoIBAQC4iOkDj+IKkMDaaPLAjnMbogFfps1xFBgOwHsK | |
| 6 | /RWic1e0kHBfEwQ0/iNWm8SZaknmIwGScYdX5dYGSeBhqlzMixjgsafpoxTrJIAE | |
| 7 | FVCk05BJF9PjzEYY9H2bM4Eb/KmWakU5WrWP5vrmWyS8BcphosWkWfehj+kFJ1wI | |
| 8 | 0E/wvKlVcAlvcioRewEv8SuAcb1uAhE/xXEEBqvILPvuQvMBeR8cvYt9IYh8043I | |
| 9 | QoHfEj3hLgt6i45KhYvVWQR8mzzu8bgbnGhfDco4fKK55BRSUye7yn4HHTE9Uo8S | |
| 10 | wuN7dH2TSsZrlxrt1cCf1TKkoqnbnHg1emeMZfm3FURh82+pAgMBAAGjggEMMIIB | |
| 11 | CDAdBgNVHQ4EFgQUtMa8XD5ylrF9AqCdnPEhXa63H2owHwYDVR0jBBgwFoAUX52I | |
| 12 | Dchz5lTU+A3Y5rDBJLRHw1UwCQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcD | |
| 13 | ATCBigYKKwYBBAHWeQIEAgR8BHoAeAB2AN8cLsEVAJRSR6lhaDJd3Fx5Wej3xtOI | |
| 14 | /AAuC70/dNdkAAABb15m6AAAAAQDAEcwRQIgfDPo8RArm/vcSEZ608Q1u+XQ55QB | |
| 15 | u67SZEuZxLpbUM0CIQDRsgcTud4PDy8Cgg+lHeAS7UxgSKBbWAznYOuorwNewzAZ | |
| 16 | BgNVHREEEjAQgg5zZXJ2ZXIuZXhhbXBsZTANBgkqhkiG9w0BAQsFAAOBgQCWFKKR | |
| 17 | RNkDRzB25NK07OLkbzebhnpKtbP4i3blRx1HAvTSamf/3uuHI7kfiPJorJymJpT1 | |
| 18 | IuJvSVKyMu1qONWBimiBfiyGL7+le1izHEJIP5lVTbddfzSIBIvrlHHcWIOL3H+W | |
| 19 | YT6yTEIzJuO07Xp61qnB1CE2TrinUWlyC46Zkw== | |
| 19 | 20 | -----END CERTIFICATE----- |
| 1 | 1 | Version : v1 (0x0) |
| 2 | 2 | Log ID : DF:1C:2E:C1:15:00:94:52:47:A9:61:68:32:5D:DC:5C: |
| 3 | 3 | 79:59:E8:F7:C6:D3:88:FC:00:2E:0B:BD:3F:74:D7:64 |
| 4 | Timestamp : Apr 5 17:04:16.275 2013 GMT | |
| 4 | Timestamp : Jan 1 00:00:00.000 2020 GMT | |
| 5 | 5 | Extensions: none |
| 6 | 6 | Signature : ecdsa-with-SHA256 |
| 7 | 30:45:02:20:48:2F:67:51:AF:35:DB:A6:54:36:BE:1F: | |
| 8 | D6:64:0F:3D:BF:9A:41:42:94:95:92:45:30:28:8F:A3: | |
| 9 | E5:E2:3E:06:02:21:00:E4:ED:C0:DB:3A:C5:72:B1:E2: | |
| 10 | F5:E8:AB:6A:68:06:53:98:7D:CF:41:02:7D:FE:FF:A1: | |
| 11 | 05:51:9D:89:ED:BF:08⏎ | |
| 7 | 30:45:02:20:7C:33:E8:F1:10:2B:9B:FB:DC:48:46:7A: | |
| 8 | D3:C4:35:BB:E5:D0:E7:94:01:BB:AE:D2:64:4B:99:C4: | |
| 9 | BA:5B:50:CD:02:21:00:D1:B2:07:13:B9:DE:0F:0F:2F: | |
| 10 | 02:82:0F:A5:1D:E0:12:ED:4C:60:48:A0:5B:58:0C:E7: | |
| 11 | 60:EB:A8:AF:03:5E:C3 |
Binary diff not shown
| 0 | -----BEGIN RSA PRIVATE KEY----- | |
| 1 | MIICXAIBAAKBgQDVimhTYhCicRmTbneDIRgcKkATxtB7jHbrkVfT0PtLO1FuzsvR | |
| 2 | yY2RxS90P6tjXVUJnNE6uvMa5UFEJFGnTHgW8iQ8+EjPKDHM5nugSlojgZ88ujfm | |
| 3 | JNnDvbKZuDnd/iYx0ss6hPx7srXFL8/BT/9Ab1zURmnLsvfP34b7arnRsQIDAQAB | |
| 4 | AoGAJLR6xEJp+5IXRFlLn7WTkFvO0ddtxJ7bXhiIkTctyruyfqp7LF9Jv1G2m3PK | |
| 5 | QPUtBc73w/GYkfnwIwdfJbOmPHL7XyEGHZYmEXgIgEtw6LXvAv0G5JpUnNwsSBfL | |
| 6 | GfSQqI5Z5ytyzlJXkMcTGA2kTgNAYc73h4EnU+pwUnDPdAECQQD2aj+4LtYk1XPq | |
| 7 | r3gjgI6MoGvgYJfPmAtZhxxVbhXQKciFUCAcBiwlQdHIdLWE9j65ctmZRWidKifr | |
| 8 | 4O4nz+TBAkEA3djNW/rTQq5fKZy+mCF1WYnIU/3yhJaptzRqLm7AHqe7+hdrGXJw | |
| 9 | +mCtU8T3L/Ms8bH1yFBZhmkp1PbR8gl48QJAQo70YyWThiN5yfxXcQ96cZWrTdIJ | |
| 10 | b3NcLXSHPLQdhDqlBQ1dfvRT3ERpC8IqfZ2d162kBPhwh3MpkVcSPQK0gQJAC/dY | |
| 11 | xGBYKt2a9nSk9zG+0bCT5Kvq++ngh6hFHfINXNnxUsEWns3EeEzkrIMQTj7QqszN | |
| 12 | lBt5aL2dawZRNrv6EQJBAOo4STF9KEwQG0HLC/ryh1FeB0OBA5yIepXze+eJVKei | |
| 13 | T0cCECOQJKfWHEzYJYDJhyEFF/sYp9TXwKSDjOifrsU= | |
| 14 | -----END RSA PRIVATE KEY----- |
| 32 | 32 | 55:83:D2:9D:E5:A1:8D:B6:3D:A6:73:89:42:32:9C:91: |
| 33 | 33 | 0F:3B:6A:74:02:21:00:86:EE:10:F9:10:E6:7B:17:65: |
| 34 | 34 | D9:2D:37:53:4A:3B:F0:AE:03:E4:21:76:37:EF:AF:B4: |
| 35 | 44:2E:2B:F5:5C:C6:91⏎ | |
| 35 | 44:2E:2B:F5:5C:C6:91 |
| 287 | 287 | cert "$cert" "" -signkey "${key}.pem" -set_serial 1 -days -1 "$@" |
| 288 | 288 | } |
| 289 | 289 | |
| 290 | genct() { | |
| 291 | local OPTIND=1 | |
| 292 | local purpose=serverAuth | |
| 293 | ||
| 294 | while getopts p: o | |
| 295 | do | |
| 296 | case $o in | |
| 297 | p) purpose="$OPTARG";; | |
| 298 | *) echo "Usage: $0 genct [-p EKU] cn keyname certname cakeyname cacertname ctlogkey" >&2 | |
| 299 | return 1;; | |
| 300 | esac | |
| 301 | done | |
| 302 | ||
| 303 | shift $((OPTIND - 1)) | |
| 304 | local cn=$1; shift | |
| 305 | local key=$1; shift | |
| 306 | local cert=$1; shift | |
| 307 | local cakey=$1; shift | |
| 308 | local ca=$1; shift | |
| 309 | local logkey=$1; shift | |
| 310 | ||
| 311 | exts=$(printf "%s\n%s\n%s\n%s\n%s\n%s\n[alts]\n%s\n" \ | |
| 312 | "subjectKeyIdentifier = hash" \ | |
| 313 | "authorityKeyIdentifier = keyid, issuer" \ | |
| 314 | "basicConstraints = CA:false" \ | |
| 315 | "extendedKeyUsage = $purpose" \ | |
| 316 | "1.3.6.1.4.1.11129.2.4.3 = critical,ASN1:NULL"\ | |
| 317 | "subjectAltName = @alts" "DNS=${cn}") | |
| 318 | csr=$(req "$key" "CN = $cn") || return 1 | |
| 319 | echo "$csr" | | |
| 320 | cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \ | |
| 321 | -set_serial 2 -days "${DAYS}" "$@" | |
| 322 | cat ${cert}.pem ${ca}.pem > ${cert}-chain.pem | |
| 323 | go run github.com/google/certificate-transparency-go/ctutil/sctgen \ | |
| 324 | --log_private_key ${logkey}.pem \ | |
| 325 | --timestamp="2020-01-01T00:00:00Z" \ | |
| 326 | --cert_chain ${cert}-chain.pem \ | |
| 327 | --tls_out ${cert}.tlssct | |
| 328 | rm ${cert}-chain.pem | |
| 329 | filesize=$(wc -c <${cert}.tlssct) | |
| 330 | exts=$(printf "%s\n%s\n%s\n%s\n%s%04X%04X%s\n%s\n[alts]\n%s\n" \ | |
| 331 | "subjectKeyIdentifier = hash" \ | |
| 332 | "authorityKeyIdentifier = keyid, issuer" \ | |
| 333 | "basicConstraints = CA:false" \ | |
| 334 | "extendedKeyUsage = $purpose" \ | |
| 335 | "1.3.6.1.4.1.11129.2.4.2 = ASN1:FORMAT:HEX,OCT:" $((filesize+2)) $filesize `xxd -p ${cert}.tlssct | tr -d '\n'` \ | |
| 336 | "subjectAltName = @alts" "DNS=${cn}") | |
| 337 | echo "$csr" | | |
| 338 | cert "$cert" "$exts" -CA "${ca}.pem" -CAkey "${cakey}.pem" \ | |
| 339 | -set_serial 2 -days "${DAYS}" "$@" | |
| 340 | } | |
| 341 | ||
| 290 | 342 | "$@" |
| 374 | 374 | -pkeyopt rsa_pss_keygen_md:sha256 -pkeyopt rsa_pss_keygen_saltlen:32 | \ |
| 375 | 375 | ./mkcert.sh geneenocsr "Server RSA-PSS restricted cert" \ |
| 376 | 376 | server-pss-restrict-cert rootkey rootcert |
| 377 | ||
| 378 | # CT entry | |
| 379 | ./mkcert.sh genct server.example embeddedSCTs1-key embeddedSCTs1 embeddedSCTs1_issuer-key embeddedSCTs1_issuer ct-server-key |
| 62 | 62 | if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture)))) |
| 63 | 63 | goto end; |
| 64 | 64 | fixture->test_case_name = test_case_name; |
| 65 | fixture->epoch_time_in_ms = 1473269626000ULL; /* Sep 7 17:33:46 2016 GMT */ | |
| 65 | fixture->epoch_time_in_ms = 1580335307000ULL; /* Wed 29 Jan 2020 10:01:47 PM UTC */ | |
| 66 | 66 | if (!TEST_ptr(fixture->ctlog_store = CTLOG_STORE_new()) |
| 67 | 67 | || !TEST_int_eq( |
| 68 | 68 | CTLOG_STORE_load_default_file(fixture->ctlog_store), 1)) |
| 157 | 157 | if (!TEST_ptr(text_buffer = BIO_new(BIO_s_mem())) |
| 158 | 158 | || !TEST_true(X509V3_EXT_print(text_buffer, extension, |
| 159 | 159 | X509V3_EXT_DEFAULT, 0))) |
| 160 | goto end; | |
| 161 | ||
| 162 | /* Append \n because it's easier to create files that end with one. */ | |
| 163 | if (!TEST_true(BIO_write(text_buffer, "\n", 1))) | |
| 160 | 164 | goto end; |
| 161 | 165 | |
| 162 | 166 | /* Append \0 because we're about to use the buffer contents as a string. */ |